Server Trust Store Update for Apple's New APNs Root Certificate

Understanding the Apple APNs Root CA Change

Apple announced a critical update to their Apple Push Notification service (APNs) infrastructure:

"The Certification Authority (CA) for APNs is changing [...] All developers using APNs will need to update their application's Trust Store to include the new server certificate: SHA-2 Root : USERTrust RSA Certification Authority certificate."

Key deadlines for this transition:

  • Sandbox Environment: January 20, 2025
  • Production Environment: February 24, 2025

Who Needs to Take Action?

No Action Required for

  • Third-Party Notification Services (Firebase Cloud Messaging/FCM, Amazon SNS, etc.)
    Service providers handle certificate updates
  • Client Applications (iOS, macOS apps)
    Trust store managed automatically by Apple OS
  • Mobile App Developers
    No Xcode changes or App Store resubmissions needed

Server Operators Must Act

You need to update your server infrastructure if:

  • Your backend directly POSTs to APNs endpoints
  • You maintain your own server certificate trust store

Updating Your Server Trust Store

1. Verify Current Certificate Status

Most modern operating systems already ship this root in their system trust store. Verify it is present (if your application uses its own CA bundle rather than the system store, check that bundle instead):

Linux (Ubuntu/Debian):

```bash
# Debian/Ubuntu keep one PEM file per trusted root under /etc/ssl/certs
ls /etc/ssl/certs | grep USERTrust_RSA_Certification_Authority.pem
```

Linux (CentOS/RHEL):

```bash
# RHEL/CentOS: source/anchors/ only holds certificates you added by hand;
# the roots shipped with the OS are listed by the p11-kit trust tool
trust list | grep -i "USERTrust RSA Certification Authority"
```

2. Manually Add Certificate (If Missing)

Download the certificate using the official Apple link or from Sectigo.

Installation commands:

```bash
# Ubuntu/Debian: update-ca-certificates only picks up files ending in .crt
sudo cp USERTrust_RSA_Certification_Authority.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates

# CentOS/RHEL: drop the PEM into the anchors directory and rebuild the bundle
sudo cp USERTrust_RSA_Certification_Authority.pem /etc/pki/ca-trust/source/anchors/
sudo update-ca-trust
```

Windows Server:

  1. Download .crt file
  2. Open MMC → Add Certificates Snap-in (Computer Account)
  3. Import to "Trusted Root Certification Authorities"

3. Test APNs Connectivity

Validate via OpenSSL against Apple's sandbox:

```bash
# Connect by host name rather than a fixed IP (APNs addresses change) and
# verify the chain against the new root only; drop -verifyCAfile to test
# the system trust store instead
openssl s_client -connect api.sandbox.push.apple.com:443 \
  -servername api.sandbox.push.apple.com \
  -verifyCAfile USERTrust_RSA_Certification_Authority.crt \
  -showcerts </dev/null
```

Successful connection output should show:

Verify return code: 0 (ok)
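The OpenSSL test checks the file you point it at, not necessarily the store your application code loads at runtime. The following added example (not from Apple or the original article) checks the trust store a Python TLS client actually uses for the USERTrust RSA root by subject name and then performs a verified handshake to the APNs sandbox host named above; the optional CA-bundle path argument is a hypothetical override for servers that ship their own bundle.

```python
"""Check the trust store a Python TLS client really uses for the USERTrust
RSA root, then optionally verify a live handshake to the APNs sandbox."""
import socket
import ssl
import sys

USERTRUST_CN = "USERTrust RSA Certification Authority"   # from Apple's notice
APNS_SANDBOX = "api.sandbox.push.apple.com"


def subject_cn(cert):
    """Return commonName from a cert dict as produced by get_ca_certs()."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def has_root(ca_certs, cn=USERTRUST_CN):
    """True if any loaded CA certificate carries the given subject CN."""
    return any(subject_cn(c) == cn for c in ca_certs)


def trust_store_has_usertrust(cafile=None):
    """Load the default store (or a custom bundle) and look for the root.
    Note: roots from a capath directory appear only after first use, so a
    single-file bundle (the Debian/RHEL default) gives the reliable answer."""
    ctx = ssl.create_default_context(cafile=cafile)
    return has_root(ctx.get_ca_certs())


def apns_handshake(host=APNS_SANDBOX, cafile=None, timeout=10):
    """Verified TLS handshake; returns (tls_version, leaf issuer CN).
    Raises ssl.SSLCertVerificationError if the chain is not trusted."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, 443), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            leaf = tls.getpeercert()
            issuer = dict(rdn[0] for rdn in leaf["issuer"]).get("commonName")
            return tls.version(), issuer


if __name__ == "__main__":
    bundle = sys.argv[1] if len(sys.argv) > 1 else None  # optional CA bundle path
    print("USERTrust root in store:", trust_store_has_usertrust(bundle))
    print("APNs sandbox handshake:", apns_handshake(cafile=bundle))
```

A verification failure in `apns_handshake` after the cut-over dates is the symptom to watch for; the root check tells you in advance whether that failure is coming.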

Maintaining Continuous Service

  1. Ensure both old and new certificates remain in trust stores during transition
  2. APNs client certificates (used for authentication) require no changes
  3. Backend stack compatibility considerations:

| Server Platform | Update Required? | Verification Method |
|---|---|---|
| Ubuntu 22.04+ | No (pre-installed) | `ls /etc/ssl/certs/` |
| Ubuntu <20.04 | Likely | Manual installation |
| CentOS/RHEL 8+ | Unlikely | `update-ca-trust` check |
| Windows Server 2019+ | Verify via MMC | GUI certificate manager |
| Custom Trust Stores | Highly likely | Validate with OpenSSL test |

Troubleshooting Common Issues

  • Certificate Not Found: Download directly from Apple's provided link
  • SSL Handshake Failures: Ensure both old/new certificates coexist until deadlines
  • Legacy System Support: Update outdated OpenSSL libraries, since APNs connections require TLS 1.2 or later

After implementing changes, monitor APNs delivery logs for TLS handshake or certificate verification errors through the transition windows, and confirm delivery success rates hold steady past each deadline.
